HTTPS Cipher Suite Algorithm Guidance

Problem to solve

Site operators often assume that HTTPS is safe as long as the certificate is valid. However, a web server can still accept older, outdated versions of TLS and insecure cipher suites during the handshake, and use of these older algorithms can expose organizations to attack. Without a deep understanding of cryptography, or of which ciphers are insecure, it is difficult to tell whether a server is using best-practice ciphers or is vulnerable. An attacker could cause a web server to negotiate an insecure, but still supported, cipher as part of HTTPS and use that weaker connection in an attack.

Intended users

Further details

This is in a similar problem space as #36871 (closed).

Proposal

Allow users to specify a URL they wish to monitor and test it to ensure it only supports current, secure protocol versions and cipher suites. If it supports older, insecure ciphers, inform users and help them understand what that means so they can take the next step manually. For this issue, we intend only to inform users, not to change the server configuration on their behalf.
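As an added illustration of the "inform, don't fix" step described above (example code, not GitLab's own): a small classifier that takes the protocol versions and cipher-suite names a scanner reported for a server and turns them into the plain-language findings and pass/fail verdict a report page could show. The policy table, patterns and sample scan result are constructed for this example and are assumptions, not GitLab's rule set.

```python
import re

# Protocol versions a scan may report, mapped to the verdict shown to the user.
# Constructed policy for this example: only TLS 1.2 and 1.3 are acceptable.
PROTOCOL_VERDICT = {
    "SSLv2": "insecure", "SSLv3": "insecure", "TLSv1.0": "insecure",
    "TLSv1.1": "insecure", "TLSv1.2": "acceptable", "TLSv1.3": "recommended",
}

# Patterns over IANA cipher-suite names that mark a suite as insecure, each with
# the plain-language reason a report would show. Constructed for this example.
INSECURE_SUITE_PATTERNS = [
    (re.compile(r"_NULL_"), "NULL cipher: traffic is not encrypted"),
    (re.compile(r"_anon_", re.I), "anonymous key exchange: no server authentication"),
    (re.compile(r"EXPORT"), "export-grade key sizes: brute-forceable"),
    (re.compile(r"_RC4_"), "RC4: biased keystream, broken"),
    (re.compile(r"_(3DES|DES)_"), "DES/3DES: 64-bit blocks (Sweet32)"),
    (re.compile(r"_MD5$"), "MD5 MAC: collision-prone hash"),
]


def assess_suite(name):
    """Return (verdict, reason) for one cipher-suite name."""
    for pattern, reason in INSECURE_SUITE_PATTERNS:
        if pattern.search(name):
            return "insecure", reason
    if "_CBC_" in name:
        return "legacy", "CBC mode: prefer AEAD suites (GCM or CHACHA20-POLY1305)"
    return "recommended", "AEAD cipher with a modern key exchange"


def assess_server(protocols, suites):
    """Summarise a scan as a list of findings plus a pass/fail verdict.

    protocols: versions the server negotiated; suites: cipher-suite names it
    accepted. The server fails if any protocol or suite is insecure; 'legacy'
    suites are reported but do not fail the server on their own.
    """
    findings = []
    for proto in protocols:
        verdict = PROTOCOL_VERDICT.get(proto, "insecure")  # unknown = treat as insecure
        if verdict == "insecure":
            findings.append((proto, verdict, "deprecated protocol version"))
    for suite in suites:
        verdict, reason = assess_suite(suite)
        if verdict != "recommended":
            findings.append((suite, verdict, reason))
    failed = any(verdict == "insecure" for _, verdict, _ in findings)
    return {"status": "fail" if failed else "pass", "findings": findings}


# Constructed scan result for a server that still accepts TLS 1.0 and RC4 (not real data).
LEGACY_SCAN = {"protocols": ["TLSv1.0", "TLSv1.2"],
               "suites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}
```

Feeding `LEGACY_SCAN` to `assess_server` yields a `fail` with two findings (the TLS 1.0 version and the RC4 suite), while a server offering only TLS 1.2/1.3 with AEAD suites passes with no findings.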

UX

  1. User goes to Cloud Exposure page under Security & Compliance tab.
  2. User adds a URL to monitor with scanning and saves.
  3. Scanning is performed on a periodic basis.
  4. User reviews scanning results in a report page.

Collaborate with UX on designs

Questions:

  1. How much detail is needed for first version without overloading users?
  2. Should (can) we limit scanning only to GitLab-hosted domains? Or Kubernetes clusters?

Follow-on work

Show users whether the cipher suite results mean they pass or fail certain compliance requirements, such as PCI-DSS, NIST, and HIPAA.

Permissions and Security

Users must be able to view all other content on the Security Dashboard to use this capability.

Documentation

Provide documentation to explain the problem we solve at a high-level, what the various results mean, and a reasonable set of next steps for common cases.

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

GitLab Ultimate

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
